
Assessment Presentation

Philip Robbins - July 14, 2012


University of Phoenix Hawaii Campus

Fundamentals of Information Systems Security
Scope & Applicability
UOPX Courses
- CIS 207 Information Systems Fundamentals
- CMGT 244 Intro to IT Security
- CMGT 245 IS Security Concepts
- CMGT 400 Intro to Information Assurance & Security
- CMGT 440 Intro to Information Systems Security
- CMGT 441 Intro to Information Systems Security Management
- CMGT 430 Enterprise Security
- CMGT 442 Information Systems Risk Management

Objectives
Review of Concepts. What is (are):
- Information Systems?
- Information Security?
- Information Systems Security?
- Information Assurance?
- Cyber Security?
- Defense in Depth?
Significance / Importance of Concepts
Advanced Topics in Security Risk Analysis
Present & Future Challenges
Q&A

Who am I?
Information Systems Authorizing Official Representative
- United States Pacific Command (USPACOM)
- Risk Management Field
- Assessments to USPACOM Authorizing Official / CIO

Former Electronics Engineer
Bachelor of Science in Electrical Engineering
Master of Science in Information Systems
Ph.D. Student in Communication & Information Sciences
Certified Information Systems Security Professional
(CISSP) and Project Management Professional (PMP)

Review of Concepts
What are Information Systems?
- Systems that store, transmit, and process information.
What is Information Security?
- The protection of information.
Information Systems + Information Security = Information Systems Security
What is Information Systems Security?
- The protection of systems that store, transmit, and process information.
Review of Concepts
What is Information Assurance?
- Emphasis on Information Sharing
- Establishing and controlling trust
- Authorization and Authentication (A&A)

What is Cyber Security?
- Protection of information and systems within networks that are connected to the Internet.
Review of Concepts
Progression of Terminology
- Computer Security (COMPUSEC): Legacy term (no longer used).
- Information Security (INFOSEC): Legacy term (still used).
- Information Assurance (IA): Term widely accepted today with focus on Information Sharing.
- Cyber Security: Broad term quickly being adopted.
Review of Concepts
What is the Defense in Depth Strategy?
- Using layers of defense as protection.
- People, Technology, and Operations.
Onion Model (layers, innermost first): Data, Application, Host, Internal Network, Perimeter, Physical, Policies & Procedures.
Review of Concepts
Defense in Depth Primary Elements
[Diagram: DiD PDR Paradigm]
- Primary elements: People, Technology, Operations.
- PDR paradigm: Protect, Detect, React.
- Information Security Services (ISS): Confidentiality, Integrity, Availability.
- Information Assurance Services (IAS): Continuity, Physical, Cyber, Configuration, Training, Identity A&A, Content.
ISS Management
What is a Backup Plan (BP) vs Disaster Recovery Plan (DRP) vs Emergency Response Plan (ERP) vs Business Recovery Plan (BRP) vs Business Impact Analysis (BIA) vs Incident Response Plan (IRP) vs Continuity of Operations Plan (COOP) vs Contingency Plan?

Policy & Planning
Test, Audit, Update
Configuration Control

Protection, Detection, Reaction
(Assessment, CND, Incident Response)
Why is this important?
Information is valuable; therefore, Information Systems are valuable, etc.

Compromise of the Information Security Services (C-I-A) has real consequences (loss):
- Confidentiality: death, proprietary info, privacy, theft
- Integrity: theft, disruption
- Availability: productivity lost, C2, defense, emergency services

Why is this important?
Fixed Resources
Sustainable strategies reduce costs

[Chart: Cost vs Time. Incidents trigger Protect, Detect and React costs; the cost curve without DiD rises past the cost-prohibitive threshold, while the curve with DiD stays below it.]
Advanced Topics: Measuring Risk
What is Risk?



thus


Qualitative vs. Quantitative Methods
Risk Assessments vs. Risk Analysis
Security Risk Analysis (SRA)
Units for measurement?

Advanced Topics: Measuring Risk
Risk is conditional, NOT independent.



Advanced Topics: Measuring Risk
Quantitative, time-dependent (continuous),
Risk Distribution Function:

Source:
Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems (Master's Thesis). Hawaii Pacific University, Honolulu, HI.

Advanced Topics: Measuring Risk
Expected Value of Risk = Product of Risks


Risk is never zero




Risk Dimension (units): confidence in ISS, C-I-A


Advanced Topics: Measuring Risk
Expected Value and Risk Loss Confidence vs
Cumulative Risk Product


Advanced Topics: Measuring Risk
Quantitative Risk Determination Expression



Risk Rate & Risk Variability
Adjudication of Risk



Advanced Topics: Measuring Risk
Determining Risk Tolerance / Threshold Levels


Advanced Topics: Measuring Risk
Risk Areas as a function of Probability and Impact


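The risk slides above (Risk = Probability × Impact, risk as a conditional product rather than a set of independent events, risk never reaching zero, and risk areas against a tolerance threshold) can be made concrete with a small worked example. The code below is an added illustration, not from the presentation or the thesis it cites: it uses the textbook expected-loss formula and a 3×3 qualitative probability/impact matrix, and the threat names, probabilities, impact values and matrix cut-offs are constructed sample values. The slides' own risk distribution function is not reproduced on this page, so nothing here should be read as that expression.

```python
"""Worked illustration of risk measurement: expected loss, conditional
(chained) risk product, and a qualitative probability/impact matrix.

Added example for these slides, not the author's or the thesis's code.
All threats, numbers and cut-offs are constructed sample values.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # likelihood of occurrence per period, 0 < p <= 1
    impact: float       # loss if it occurs, arbitrary currency units


def expected_loss(t: Threat) -> float:
    """Quantitative risk as expected value: probability x impact."""
    return t.probability * t.impact


def conditional_chain_probability(stage_probs: Iterable[float]) -> float:
    """Probability that an attack gets through every layer of a
    defense-in-depth stack.

    Each value is P(layer i breached | layers 1..i-1 already breached),
    so the product is a conditional chain, not a product of independent
    events (the slides' point that risk is conditional). Because every
    term is strictly positive, the result is small but never exactly zero.
    """
    p = 1.0
    for q in stage_probs:
        if not 0.0 < q <= 1.0:
            raise ValueError(f"conditional probability out of range: {q}")
        p *= q
    return p


def _level(value: float, low_cut: float, high_cut: float) -> int:
    """Bin a value into 1 (low), 2 (medium) or 3 (high)."""
    if value < low_cut:
        return 1
    if value < high_cut:
        return 2
    return 3


def risk_area(probability: float, impact: float) -> str:
    """Qualitative risk matrix: place a threat in a Low/Medium/High area.

    Cut-offs are constructed for illustration: probability bins at 0.1 and
    0.5, impact bins at 10,000 and 100,000 units. The cell score is the
    product of the two bin levels (1..9).
    """
    score = _level(probability, 0.1, 0.5) * _level(impact, 10_000, 100_000)
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


def adjudicate(threats: Iterable[Threat], tolerance: float) -> List[Tuple[str, float, str, bool]]:
    """Rank threats by expected loss and flag those above the tolerance
    threshold; the flagged ones are the candidates for mitigation spend."""
    rows = [
        (t.name, expected_loss(t), risk_area(t.probability, t.impact),
         expected_loss(t) > tolerance)
        for t in threats
    ]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample portfolio (not data from the presentation).
SAMPLE_THREATS = [
    Threat("phishing-led credential theft", 0.25, 40_000),
    Threat("ransomware on file server", 0.75, 500_000),
    Threat("lost unencrypted USB drive", 0.05, 5_000),
]

if __name__ == "__main__":
    for name, loss, area, over in adjudicate(SAMPLE_THREATS, tolerance=20_000):
        flag = "EXCEEDS tolerance" if over else "within tolerance"
        print(f"{name:32s} expected loss {loss:>10,.0f}  area {area:6s}  {flag}")
    layers = [0.5, 0.5, 0.25]  # constructed conditional breach probabilities
    print("P(all layers breached) =", conditional_chain_probability(layers))
```

Running the block ranks the constructed threats by expected loss, shows which ones sit above the 20,000-unit tolerance, and prints the chained breach probability for three layers; adding a layer with any probability below 1 lowers that product but, as the slides note, can never drive it to zero.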
Present Challenges
Rapid growth of Advanced Persistent Threats (APTs)
Half a million cases of cyber-related incidents in 2012.
Is this a problem?
What about vulnerabilities associated with interconnections?

Source: US-CERT

Future Challenges
Cyberspace: Are we at war?
Cyber Crime vs Cyber Warfare vs Cyber Conflict
[Diagram: activity types by severity]
- Attack: Destruction
- Sabotage: Disruption
- Espionage: Spying / Theft of Information
Categories: Cyber Conflict, Cyber Warfare, Cyber Crime
Closing Thoughts
Information Systems Security (Cyber Security) is an explosive field.
- Spanning Commercial, Private and Government Sectors
- Demand >> Capacity: Strategies, solutions, workforce
- $
- Evolving field (not fully matured)

Security will change our communications landscape
- Efficiencies (centralization of services, technology)
- Intelligent design of network interconnections and interdependencies
- Regulations

Thank you!




Got Questions?
